Ramses Gallego - Identity Governance in the Context of a Connected Security Strategy

So at this point, what I'd like to do is introduce Ramsey's galago Ramsey's I'm sorry, I didn't see you over there. Chief's a security strategist from Dell. Who's gonna talk to us about identity governance and a connected security strategy. That's correct. Thank you, sir. Context. Context is everything. Context is instrumental for success. When something happens, we all want to know what happened, who approved it? When did it happen from where to where it happened. So we need to understand con context in order to fully understand and assess a situation.

Well, good evening. My name is Ram Gago I'm security, strategist and evangelist with Dell software. I'm honored of being as well international vice president for OSAA Porwal directors. And in the next 19 minutes, I'm gonna be covering a quite interesting topic in a plus decade, old discipline, like identity and access management. I'm gonna be covering identity governance in the context of a robust and solid, connected security strategy. And when I was preparing the session, I'd look for the definition in the dictionary of context.

And it says that context is the, are the circumstances that form a setting for an event and in terms of which it can be fully understood and assessed synonyms for context is gaining perspective factors, background, the environment, conditions and identity management, excuse me, identity governance is second to none on that.

We need to understand context who has access, access to what, when and how, who approved it from where to where in identity governance is not only important the destiny, but the origin, the device, because this world changing at the speed of light, this is the it, the society, the communities we live in, there are things happening in your industries, in our industries that fundamentally change the way we live, work and play and behave. The Analyst call it the nexus of forces. The combination of forces, you name it, cloud big data analytics, social geolocation, Spion activism.

Those things have been happening. But unfortunately, unfortunately we have been managing in silos and silos kind of worked in the past, but in security, they bring problems. They bring inconsistency, and I'm not only talking about applications and systems. We all are here. Understand that we have to have no system left behind on any identity and access management. That's what we say at Dell and the rest of my colleagues and competitors and friends.

They, we all say the same, no system left behind no application, no server. That's correct. But what I'm talking here is that not only silos in the it space, but in the context arena, we have fantastically fantastic network solutions. We have firewalls and switches and routers that can talk with the back office. We do. You probably all do. At least we have Dell. So what we do, and this is the time because we feel at Dell software, that this is not an era of changes. This is the change of an era.

This is the change of an era, the things that are happening, change the way we live, work and play. And, and we believe that there's a better way of managing that because we have massive infrastructure around that can tell us the environment, the factors, the conditions, the variables, the different variables that we have to factor into our risk equation, into our risk equation. I didn't say it. I haven't mentioned it risk in this re of course, because at the end of the day, it's business risk. It's the appetite of risk, the risk equation.

And by the way, risk happens when there's a threat exploitable, Notability with a probability of that happening. And that has to have an impact. And unfortunately, if we manage identity and access management, haven't set governance yet identity and access management in silos, that brings too much human error. That brings no automation. And that's so directing targeted into mistakes. And there's a better way for doing that because we at Dels, we have been obsessed of business first business first and business first. And when you finish business first, this graph in here that it's from Osaka.

What you see on top of that, it doesn't say legal. It doesn't say facilities. It doesn't say it. It doesn't say audit. It says business and the business has requirements. And then the rest flows. It processes key performance indicators, cables, indicators, control, guidelines, policies, procedures, but on top of that is business.

First, another way of seeing that is this graph. But on top of that, before going into enterprise architecture, before deciding cloud yes or cloud, no, or by X, by O D if you, if you want, but by O X, I will go into that if I have time in a minute, but before deciding the enterprise architecture first is enterprise strategy and the enterprise strategy has business goals, goals for it, business goals for it, and then it goals. And then, and only then enterprise architecture.

So when you decide your next identity and access governance project, or piece of the, of the, of the project has to be aligned with enterprise strategy, full stop. That's what we say at Dell software and network security, data security and application security play an instrumental role in that. So forget about the silo, steer down the silos because this world is already hyper connected. If I may say you've seen it in my second slide, we build it, you know, from the mainframe into the distributed business. And I'm not talking about it.

I'm talking about business risk, and I'm gonna show you later. And the title of the session is identity governance for a reason, because we feel we need to go beyond management management is, is, is, is fantastic.

It's the, we feel is the day to day the execution part and don't get me wrong. That's very important. But governance is that overarching umbrella that if I take the next definition of governance, national Institute for standards and technology in the us, it has four columns or four pillars. The first one is setting a strategic direction, making sure that objectives are met. Okay. Probably some of you are thinking, yeah, but that's, that's not my, my, my arena, my department, I'm just setting a strategic direction and making sure that objectives are met. This is not my world.

I tend to disagree, but okay. Let's, let's, let's accept it for a moment. The other two pillars of the governance definitions are ascertaining that the risks are managed and resources are used in a responsible way. Ascertaining that risks are managed and their resources are used in a responsible way. What's our resource. The network is a resource. The documented in the SharePoint farm is a resource. The cloud is a resource. A process is a resource people, if you will. And like people seeing as a resource, but you know, capabilities and skills are a resources and moral and ethics and culture.

So the time has come to bring all those and factor into the factor them into the risk equation because that that's governance ascertaining the risks are managed and resources are used in a responsible way. And those magical solutions that are around again on switching, routing, firewall, next generation firewalls. They have a lot of information. They can trace me back and they can know if Rames is connecting, connecting into Salesforce or into SAP from, from an friendly geography. I don't know you name it.

I'm not against any country, as you may imagine, but you know, that's quite a strain that Rames is not in Venezuela today, or shouldn't be, or it's impossible to fly 1000 kilometers in, just have an hour. And he's connecting from different sources. The firewalls know, they know. So we have a bunch of information in there and we have to connect. We at Dell software, we call it connected security for a reason. It's time to connect, tear down the silos. And of course you have to do it across all of your system.

Yes, that's a regular identity and access management approach. No system left behind homegrown applications, commercial applications, GD Edward civil SAP, you name it. But across the myriad, the universe of applications that you have, and that includes application security and or network security. And when I'm thinking on that world, that changes at the speed of light. When I'm visiting CEOs and CEOs around the world.

When, when a breach happens, when a leakage happens, they always ask me Ramsey, why did it happen? Why did it happen? The answer is pretty easy. It happened because it could happen. It happened because it could happen. We enabled it. We didn't ask the right questions to the right people at the right time.

We didn't, we didn't use the information at the firewall at the router at the network security level. We just thought that identity and access management was enough. And he it's been enough, but we have to paint that overarching umbrella called identity governance. And in the context and using the context of a connected security strategy, the guy in the picture is Charles Darwin. I'm using Darwin's theory and it's applicability into it because let me tell you, you, we better, we better understand that world that changes at the speed of light.

We better adapt and adopt into what's happening today. We, we better embrace yeah. The cloud and by X and analytics, we have to with the right attitude, because lemme tell you something security and governance and risk management are attitudes. The right attitude from the employer to the employee, from the employee, with the, with the end user, with the consumer, with the customer, from the government, with the public, from the private sector, with the public sector, from the public sector, with companies, with the private sector, that's the right attitude.

So we better adapt and adopt to what's happening. I'm using Darwin theory. And let me re remind you that not the fastest survives, not the strongest survives, but the most adaptable. You remember Kodak, the picture company, remember Kodak, where's Kodak. Now they used to have 93% of the market, nine, 3% of the market, where are they now gone? They didn't envision what was coming. They didn't adapt and adopt what was happening. Remember Netscape the browser, where are they now gone?

They didn't envision what was coming and in the very same way, whether you work in healthcare, government, education, retail, the automobile industry, we better adapt and adopt and context will give us all those clues in order to bring resiliency. I looked for the word resiliency in the dictionary this morning, and it says the capacity to endure the capacity to endure that's beyond business continuity or disaster recovery resiliency as a, as a word, as a discipline is the capacity to endure.

So we better adapt and adopt to what's happening because not the fastest or stronger survive, but the most adaptable. And we have to understand in the key of identity governance, those business mandates or corporate let's say objectives or boards from left to right, you have managed risk managed cost, improved service internally to users and or externally to end users to consumers and then align it investments full stop.

Yeah, I know your CEO, he or she tells you that it's about profitability and geographical inform. Of course I know. But at the end of the day, at the end of the day, any it project, you do, excuse me, any project, project, business project, you do belongs to one or a combination of those four business mandates. They want to mitigate risk, mitigate cost, improve service, and or align it investments.

And when you think about identity governance, and when you think about application security, data security, network security in the context of a connected security, if you do it rightly an identity governance project, it should, it must manage risk appropriately. It has to manage cost appropriately.

Yeah, no, it costs money to deploy, to maintain, but at the end of the day, it gets you risk from here to here. And that means that gets you cost from here to here in the long run midterm long run. And it does improve service Federation, strong authentication. You name it because my trustability and reliability is subjective in nature. I am trustable to my customer's eyes. I am not trustable because I am, I am trustable because you think that what I'm doing now in stage is kind of reliable and trustable in the very same way.

I am building a framework as a company that is, that makes me trustable to the auditor, to the government and to my end users at the end of the day, and definitely align it investments. And the moment, the moment is now we live in highly, highly, highly regulated industries. The European data privacy act, the healthcare industry, you name it PCI. I come from Spain, the lay organic production datas our data, privacy act each and every country.

And, and as, as a community, as Europe, we are doing that. And it, it is mandated take the ISO takes PCI. It's mandated understanding who has access to what, when and how. And you probably say, but we are already doing that with identity and access management.

Yes, but sometimes in a world that changes at the speed of light. We are missing context. We can tell you next generation firewall, give me that information. So let's go back to basics, go back to the roots who has access to what, when and how, when you have the answers for the first five questions, you get a bonus, you get the why, who has access to what, when and how, what happened, who approved it? You get the why, why? Because the process was broken because nobody cared because the auditor was not doing properly oversight. And I think that's quite important.

Isn't it going back to basics in a world that changing at the speed of light, we have been managing in silos, boom, tear down the silos, go back to basics and context will give us those five first answers. And then we might in fear guess, or even know explicitly the why. And that's what my CEO wants. That what the government wants. That's what the editor wants and building. We've built software with the idea of toxic combination. Let me tell you, what's the appetite of risk. Let me tell you what, I'm, what I'm addressing. Let me fully understand and assess my risk.

What we are seeing up there is a toxic combination. Rams is accessing critical data from again, a country. I don't know, Venezuela, China, Spain with the iPad, which is a non-IT approved device. Let me do just in time provisioning. Let me tell Ramses. I know you're a trusted person.

I am, but your environment is not trusted enough. That's so cool. And we can, we can do that now, because as you can see in this screenshot, this is about enterprise risk management E RM. I didn't say it risk, not it risk anymore. This is enterprise risk management, policy evaluations, compliance rules, rule violations, top 10 high risk objects, objects. And I'm telling my auditor, this is my risk profile, not it anymore.

So this is our kind of a picture being Dell and Dell software of our connected security strategy on three pillars from left to right network, application security, network security and data security. And then of course we are Dell. We create hardware at the bottom. You can see that each and every PC hardware network out of the assembly line is the most secure ever. And on top of that, you see services. That's what, why we call it connected security because no one and I mean it, no one can match that kind of portfolio. We breed security. Michael Dell has said that security is within our DNA.

Not only at the center of the slide, you can see security in software, but at the bottom of hardware. And on top of that on services, we call it Dell connected security. We believe in a security that that has to connect with infrastructure, a security that has to connect with information and a security that has to connect with other security products.

Again, we call it security products, products, and we can talk about that in the booth, but it it's our app vision with B and our mission with them and talking about vision. We have to have that kind of vision, no system left behind leave fears behind trusting the technology arena. This is not again it anymore. This is business orientation, whatever you have to do, it has to be with these pillars in mind, business focused process driven results oriented. That's what we do. Business focused process driven, results oriented, having that vision because we are there.

We feel that is the time for security to stop being negative in nature. How many, what are the birds that you use for security block? Stop deny really? That's it? Why don't we use the security that connects that builds that brings agility, all those kind of things. We have security that does that, and that's the value. So the positive size of security and the time has come to start building bridges because context will give us that information. This is not about more access it's about better access, granular access.

So let me, let me close with, have one minute. Let me close with just one before saying thank you with just one quote, I quote Edison that Edison said two quotes. Edison said that about the vision, having a holistic vision, right? So a vision without execution is a hallucination.

So we, we not only have the vision, but without the proper execution, it's a hallucination. It's just a vision. And in terms of change, let me close with a quote from mother therea, mother therea from kakuta. And we have been my colleagues here on states have been talking about change and the velocity of change and day of tomorrow, etcetera, let me close just by saying the following about mother therea, she said yesterday is gone. Tomorrow has not yet arrived. We only have today. We only have today. Let us begin. Thank you very much. Thank you. Thank you.

Thank you, sir. I have to tell you that if you were Australians, you'd have hit the beach by now already. You'd be out surfing somewhere and enjoying the waves, but clearly this is the right place for you to be. And your work ethic is amazing. I will have to tell all of my American colleagues about just the, the great work ethic of the European people.